I'm working on a PHP login system for my website, and I've got it so that everything validates properly with the database. Once the validation has occurred, the PHP code is set to

<?php
    require("common.php");

$submitted_username = '';

if(!empty($_POST))
{
    $query = "
        SELECT
            id,
            username,
            password,
            salt,
            email
        FROM users
        WHERE
            username = :username
    ";

    $query_params = array(
        ':username' => $_POST['username']
    );

    try
    {
        $stmt = $db->prepare($query);
        $result = $stmt->execute($query_params);
    }
    catch(PDOException $ex)
    {
        die("Failed to run query: " . $ex->getMessage());
    }

    $login_ok = false;

    $row = $stmt->fetch();
    if($row)
    {
        $check_password = hash('sha256', $_POST['password'] . $row['salt']);
        for($round = 0; $round < 65536; $round++)
        {
            $check_password = hash('sha256', $check_password . $row['salt']);
        }

        if($check_password === $row['password'])
        {
            $login_ok = true;
        }
    }

    if($login_ok)
    {
        unset($row['salt']);
        unset($row['password']);

        $_SESSION['user'] = $row;

        header("Location: http://www.woodlandastronomy.org/members/private.php");
        die("Redirecting to: private.php");
    }

    //lots more code for if validation failed
}

?>

When I load the page and enter the test credentials, everything validates fine with the SQL database, but then the page doesn't redirect, it just prints Redirecting to: private.php and stops. Is there an error in the PHP?

Here's the code for the common.php include:

<?php
ini_set('display_errors', true);
error_reporting(-1);


$username = "RatBiscuit225";
$password = "pepper";
$host = "mysql";
$dbname = "tz_users";

$options = array(PDO::MYSQL_ATTR_INIT_COMMAND => 'SET NAMES utf8');

try
{

    $db = new PDO("mysql:host={$host};dbname={$dbname};charset=utf8", $username, $password, $options);
}
catch(PDOException $ex)
{
    die("Failed to connect to the database: " . $ex->getMessage());
}

$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

$db->setAttribute(PDO::ATTR_DEFAULT_FETCH_MODE, PDO::FETCH_ASSOC);

if(function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc())
{
    function undo_magic_quotes_gpc(&$array)
    {
        foreach($array as &$value)
        {
            if(is_array($value))
            {
                undo_magic_quotes_gpc($value);
            }
            else
            {
                $value = stripslashes($value);
            }
        }
    }

    undo_magic_quotes_gpc($_POST);
    undo_magic_quotes_gpc($_GET);
    undo_magic_quotes_gpc($_COOKIE);
}
  • Are you outputting anything to the browser before that header is called? – Kai Qing Aug 13 '13 at 16:35
  • "Is there an error in the PHP?" - Maybe. Are you reporting errors? – Wesley Murch Aug 13 '13 at 16:35
  • At the beginning of the file add `ini_set('display_errors', true);` and `error_reporting(-1);` and then you will see where the problem is. – Glavić Aug 13 '13 at 16:35
  • @RootBiscuit Do what Glavić said above, at the very beginning of the entire script (if you use includes, add it to whichever file runs first in the program). – Wesley Murch Aug 13 '13 at 16:37
  • I tried the error reporting, and the only error I receive occurs when I click login. It says the header can't be modified because it was already sent on line 61. Line 61 is the line I specified above, so it shouldn't have already executed, right? – Aug 13 '13 at 16:44
  • header will redirect the page, so you won't see the die message even if it executes, that is assuming your code doesn't print any other headers before it or fail. – Prix Aug 13 '13 at 16:51
  • See the top answer there, it has all the information you need to understand this issue. – Wesley Murch Aug 13 '13 at 16:56

1 Answer

-1

The call to header will fail if PHP outputs anything to the browser. This includes things like whitespace outside of the PHP tags, echo statements, etc.

Can you post all the code up to the die()?

djheru
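A defensive version of the redirect step, added here as an example and not the asker's or answerer's code: it uses `headers_sent()` to report the exact file and line where output actually began, buffers whitespace leaked by includes so it never reaches the client, and always stops the script after the `Location` header. The helper name `safe_redirect`, the site-relative path check and the log message wording are this example's own assumptions.

```php
<?php
// Added example, not the asker's or answerer's code. It shows why the redirect in
// the question degrades into the plain "Redirecting to: private.php" text: once any
// byte (a newline before <?php, a UTF-8 BOM, an echo) has been sent, the response
// is committed and header('Location: ...') can no longer change it. Names such as
// safe_redirect() and the log message format are this example's own choices.
declare(strict_types=1);

// Start buffering as the very first statement of the entry script, so whitespace
// leaked by includes such as common.php is captured instead of being sent.
ob_start();

function safe_redirect(string $location): void
{
    // Only allow same-site paths; a Location built from user input would
    // otherwise become an open redirect.
    if ($location === '' || $location[0] !== '/' || substr($location, 0, 2) === '//') {
        throw new InvalidArgumentException('redirect target must be a site-relative path');
    }

    // headers_sent() reports whether the response is already committed and fills
    // $file/$line with where the first output came from: that is the real bug location.
    if (headers_sent($file, $line)) {
        error_log(sprintf('redirect to %s aborted: output already started at %s:%d',
            $location, $file, $line));
        // Headers are gone, so offer a link instead of leaking internals to the user.
        echo '<a href="' . htmlspecialchars($location, ENT_QUOTES, 'UTF-8') . '">Continue</a>';
        exit;
    }

    // Drop anything buffered so far: a redirect response should carry no body,
    // and a stray "Redirecting to: ..." string is exactly what the asker saw.
    while (ob_get_level() > 0) {
        ob_end_clean();
    }

    header('Location: ' . $location, true, 303);
    // Stop here. Without exit the rest of the script, including any members-only
    // HTML, would still be rendered and sent along with the redirect response.
    exit;
}

// Usage at the point where the question's code calls header():
// $_SESSION['user'] = $row;
// safe_redirect('/members/private.php');
```

Running the login script with this helper in place turns the silent failure into an `error_log` entry naming the file and line that first produced output, which is the information the warning in the comments above was pointing at.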